cryptexctl-create(1) BSD General Commands Manual cryptexctl-create(1) NAME cryptexctl create -- create a cryptex from a disk image SYNOPSIS cryptexctl create [--replace] --identifier IDENTIFIER --version VERSION PATH-TO-DMG cryptexctl create [--identity IDENTITY-PLIST] [--replace] --identifier IDENTIFIER --version VERSION PATH-TO-DMG cryptexctl create [--host-identity] [--replace] --identifier IDENTIFIER --version VERSION PATH-TO-DMG cryptexctl create [--identity IDENTITY-PLIST] [--replace] [--ALGO CRYPTO-ALGORITHM] [--CEPO CERTIFICATE-EPOCH] [--BORD BOARD-ID] [--CHIP CHIP-ID] [--ECID ECID] [--SDOM SDOM] [--CPRO CERTIFICATE-PRODUCTION-STATUS] [--CSEC CERTIFICATE-SECURITY-MODE] [--EPRO EFFECTIVE-PRODUCTION-STATUS] [--ESEC EFFECTIVE-SECURITY-MODE] [--BNCH NONCE-HASH] --identifier IDENTIFIER --version VERSION PATH-TO-DMG DESCRIPTION cryptexctl create creates a new cryptex(5) from a disk image. The disk image must encapsulate an HFS+ filesystem with a hierarchy as described in cryptex(5). The result will be a directory with a "cptx" file name extension. This bundle contains four objects: - cpxd - ltrs - c411 - im4m Together, these objects comprise the cryptex. They are not independently useful. The cryptex will be personalized for the target device by sending mea- surements of the disk image content and the identity of a device to Apple's trusted signing service (tss.apple.com). In most cases the device identity will be retrieved by cryptexctl create from either the host, if the host is running a cryptexd(8) daemon, or from a connected device (See the --udid option on the root cryptexctl(1) command.) If the device cannot be connected directly the identity can be specified either on the command line directly or using the --identity-plist argu- ment. See DEVICE IDENTIFIERS. OPTIONS A list of options with their descriptions. See DEVICE IDENTIFIERS for the identity arguments. Required: -i | --identifier IDENTIFIER A reverse-ICANN identitifer for the cryptex -v | --version VERSION The CFBundleVersion-style version number for the cryptex PATH-TO-DMG The path to the disk image file from which the cryptex will be created -- the disk image must encapsulate an HFS+ file system containing a cryptex(5) filesystem hierarchy. Optional: -o | --output-directory OUTPUT-DIRECTORY The directory to which the cryptex should be written. Upon successful completion, this directory will contain a direc- tory named for the given IDENTIFIER, which will contain the cryptex's constituent personalized objects [default: the current working directory] -r | --replace Replace the cryptex in OUTPUT-DIRECTORY if it already exists. The old directory will be rename(2)ed into a temporary direc- tory rather than being deleted outright. -I | --identity-plist IDENTITY-PLIST Path to a property list whose root node is a dictionary con- taining a set of key-value pairs for each aspect of device identity. The keys are the same as argument names (BORD, CHIP, etc.) and the values are all integers; defaults to the value of the environment variable CRYPTEXCTL_CREATE_IDENTITY. For an example of such a property list, see EXAMPLES. -H | --host-identity Use the host's identity for the personalization; if specified all other identifiers are ignored -X | --apple-connect Use AppleConnect credentials. Mostly useful for Apple inter- nal development. -M | --allow-mix-n-match Personalize with the AMNM entitlement. Only useful for Apple internal development. DEVICE IDENTIFIERS These tags can be retrieved from a device with cryptexctl-identity(1) for offline personalization or retrieved automatically for the host or a con- nected device. For convenience the identity can be specified as a property list with --identity-plist. The property list's root node is a dictionary contain- ing a set of key-value pairs key-value pairs for each aspect of the device identity. The keys are the same as the argument names (BORD, CHIP, etc). The following components comprise a host identity for cryptex personal- ization. For more information about these tags and the personalization process, see cryptex-image4(7). ALGO The crypto algorithm employed by the target device. Valid values are: sha1, sha2-384 [default: sha2-384] CEPO The certificate epoch of the target device BORD The board identifier of the target device CHIP The chip identifier of the target device ECID The unique chip instance identifier of the target device SDOM The security domain of the target device [default: 0x1] CPRO The certificate production status of the target device [default: 0x1] CSEC The certificate security mode of the target device [default: 0x1] EPRO The effective production status of the target device [default: 0x1] ESEC The effective security mode of the target device [default: 0x1] BNCH The nonce hash to use for the personalization. Can be retrieved with cryptexctl-nonce(1). [default: all zeros] ENVIRONMENT CRYPTEXCTL_CREATE_IDENTITY Sets the default value for --identity-plist. This is useful when personalizing for an offline or disconnected device. CRYPTEXCTL_UDID Read by the base cryptexctl(1) command to select the device on which to operate when the --udid option is not specified and there is no cryptexd(8) daemon on the host. See cryptexctl(1) for more information about CRYPTEXCTL_UDID. EXAMPLES The following is an example of the content of a property list that might be passed to --identity-plist to personalize for an offline device. ALGO sha2-384 CEPO 0x0 BORD 0x6 CHIP 0x8015 ECID 0x184d610044a83a SDOM 0x1 CPRO CSEC EPRO ESEC SEE ALSO cryptexctl(1), cryptexctl-identity(1), cryptexctl-install(1), cryptexctl-nonce(1), cryptex(5) HISTORY Introduced in macOS 11.0 Darwin 28 September, 2020 Darwin